A bug present in git-daemon since 1.4.4.5 can cause a denial of service by sending the git-daemon process into an infinite loop. This is discussed in the git list thread starting at:
http://thread.gmane.org/gmane.comp.version-control.git/120724
The fix was applied to the maint branch and can be seen at:
http://git.kernel.org/?p=git/git.git;a=commitdiff;h=73bb33a9
I posted about this to fedora-security-list a day or so ago:
http://www.redhat.com/archives/fedora-security-list/2009-June/msg00000.html
Of the active Fedora/EPEL branches, only devel and F-11 are recent
enough for this to apply cleanly. The other branches required a small
amount of reworking to account for changes made to git-daemon since
the releases those branches were based upon. I don't think the
backporting is all that difficult, but I am not a strong C coder. Any
extra eyes on my backported patches would be most helpful.
A simple way to test this against a git server, taken from the initial
patch in the git list thread above:
$ perl -e '
$s="git-upload-pack git\0user=me\0host=localhost\0";
printf "%4.4x%s",4+length $s,$s
' | nc $GITHOST 9418 # or git-daemon --inetd --base-path=`pwd` --export-all
This will cause the git-daemon process spawned via xinetd to enter an
infinite loop. New requests will still be handled, as xinetd will
spawn a new git-daemon process. But, of course, an attacker can
easily cause many git-daemon processes to be started that will not
exit.
I've created patched packages with the backported patch for EL-{4,5}
and F-10 (F-9 is in sync with F-10, so the same spec/srpm should work
there). These packages and patches against current CVS are at:
http://tmz.fedorapeople.org/tmp/git-daemon-extra-args/
(Apologies for the minor non-related changes in some of the diffs, as
those were changes I had slated for release soon and didn't want to
revert at the last minute.)